What's holding us back on MFA?
"For smaller organizations, traditional directories are overkill"
Over the past year, we have all seen a huge shift in how we work. For some companies, supporting work from home was no different to how they operated previously, while for others it involved wholesale changes to how systems operate, how IT assets are managed and how access is provided. Every IT team has faced challenges over this twelve-month period, and security is one of the biggest, writes Greg Keller, CTO, JumpCloud.
In the Verizon 2021 Data Breach Investigations Report (DBIR), David Smith and Bernard Wilson of the US Secret Service comment that companies without strong approaches to managing identities have suffered more from attacks: “Organisations that neglected to implement multi-factor authentication, along with virtual private networks (VPN), represented a significant percentage of victims targeted during the pandemic. The zero-trust model for access quickly became a fundamental security requirement rather than a future ideal.”
The DBIR flagged use of stolen credentials as one of three areas of attack that went up during the lockdown, alongside ransomware and phishing attacks. Multi-factor authentication (MFA) is one of the most effective ways to combat this and control access to resources. Implemented effectively, it can stop unauthorised access to company data or applications. It can also be added quickly and is supported in many applications: Microsoft 365 includes MFA for user accounts, and Google has now started the process of making two-step verification mandatory for all users too.
However, none of this explains why MFA take-up has been poor. A survey by CoreView found that 78 percent of administrators don’t have Microsoft MFA enabled for their accounts. So while the technology exists, it is not getting used. Why is this?
MFA implementation: Getting over the hurdles
There are several reasons for this. The first is that, while MFA exists, implementing it is not simple.
For many organisations, activating MFA involves understanding what licenses you hold and whether MFA is included in that version. For example, M365 MFA is now available for free on certain M365 pricing tiers, such as the Academic® and Nonprofit® plans, without any additional purchase or subscription. Outside of this handful of accounts, however, you’ll have to pay for support. Activating MFA can also require you to run a directory that acts as the source for user credentials and access rights.
A directory is essential for this process as it can act as the single source of truth around access control. For smaller organisations, traditional directories are overkill for their circumstances, particularly as they can require physical servers to be installed, secured and managed. Instead, cloud directory services can be used to manage access and provide the right sets of permissions without installing additional hardware or incurring management overhead.
Another big issue is that supporting access management can get complicated and expensive due to the tools that you have in place. Often, identity management support is included only within higher-level paid application tiers aimed at enterprise users, rather than being available for every user. This will normally include MFA support, which can make it more difficult and more expensive for companies to deploy, and makes it hard to get a consistent approach to identity and security in place.
The other major problem is user expectations around MFA. Previous deployments that involved MFA failed because of end-user revolts against the technology. Users claimed it was too hard to use in their workflows, as it involved typing token digits from an SMS text or an app into the service. Previously, this was very clunky, as any incident of poor mobile coverage would slow down the process and stop people working.
Today, that should not be a valid reason to avoid MFA. Instead, MFA deployments are much simpler for users to operate. For example, users are now familiar with using their fingerprints or faces to unlock their phones. This device functionality can be used for MFA access and integrated into the overall process. A push alert can then be sent to the device, and the user signed in to their corporate applications automatically.
Security should not be expensive. It should not be anything but business as usual. And it should not depend on additional products in order to add services like MFA. As the Verizon report for this year demonstrates, the rise in attacks around stolen credentials puts the emphasis on how to improve authentication. MFA should be part of how all companies operate over time, particularly as companies continue to support more remote working. Making it simple and free to add MFA is the next necessary step to improving security for everyone.
JumpCloud gives organizations the power to layer MFA on top of nearly any resource they need to secure: Windows, Mac, Linux, applications, networks, infrastructure, and more. Paired with Conditional Access policies, admins can help further secure resources by requiring MFA if users are not on trusted devices or trusted networks.